It’s not only possible, but likely, say researchers at Columbia University, who claim they've discovered a new class of computer security flaws that could impact millions of businesses, consumers, and even government agencies.
Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reported by msnbc.com. They say there's no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too – and there's no way to tell if hackers have already exploited it.
The researchers, who have working quietly for months in an electronics lab under a series of government and industry grants, described the flaw in a private briefing for federal agencies two weeks ago. They told Hewlett-Packard about it last week.
HP said Monday that it is still reviewing details of the vulnerability, and is unable to confirm or deny many of the researchers’ claims, but generally disputes the researchers’ characterization of the flaw as widespread. Keith Moore, chief technologist for HP's printer division, said the firm "takes this very seriously,” but his initial research suggests the likelihood that the vulnerability can be exploited in the real world is low in most cases.
“Until we verify the security issue, it is difficult to comment,” he said, adding that the firm cannot say yet what printer models are impacted.
But the Columbia researchers say the security vulnerability is so fundamental that it may impact tens of millions of printers and other hardware that use hard-to-update “firmware” that’s flawed.